I'm looking for a script to send mail to admin, write to file option and send to user w/custom message if selected.

I've been looking over the links on this site to the scripts, and there are so many to wade through. The BNB is close but I'd need to change a few things..

At a glance, the limitations are the the autorespond. I'd like to send copy to user if selected. Also insert desired fields, along w/the custom message. I have a few other requirements too..

So this is what I think I'd need:

0) send to designated admin email or multiples. 1) set up order of fields when form processed/mailed. 2) ability to enter subject for email (this is done w/a hidden field on the form yes). 3) if admin responds to email from form, ability to click reply and users email is auto entered. 4) process/send copy to users email if selected. 5) If 4 is selected, then check to see that email address is entered (don't need to validate, trusting user to enter correctly). 6) select which fields are to be sent to user along w/custom message. 7) write form results to file option (along w/time, browser, referrer options). 8) redirect to pages: Success A. page for general thank you (option to send copy to user not selected). B. page for thank you, and display email address or other desired fields (when option to send to user is selected - via radio button). Fail A. If no email is entered and option is selected by user to send them a copy (4 above). 9) support checkbox and radio buttons (thought I saw somewhere this might be an issue. 10) prevent script access from other domains.

Hi Dave thanks for the suggestion but it won't send a copy to the sender/user/requestor - whatever. I've contacted the programmer (?) and they said the reason is to prevent spam. Although I don't see how they consider it to be spam if it is the person sending it.

If you're sending input that comes from the user to an email address that also comes from the user, then it's quite possible for that set-up to be used to send spam.

You have no way of knowing that the content that someone is submitting to you form isn't some kind of spam advert. And you have no way of knowing whether the email they give is actually theirs - it could be the address of a random person from the internet.

Combine those two facts with the fact that you can submit hundreds of web forms a minute using a very simple Perl program and you have perfect conditions for a spam engine.

No sensible formmail program will allow you to send user-submitted content to a user submitted email address.

I would think there would be many other less time consuming ways to send spam then looking for a form, maybe I'm wrong.

And this is only really useful to the spammer if the form contains text area correct? Not much use from a text field.. I suppose just the text field would be targeted, but then all of these messages that they would send would also have the name of field before their advert...

What about setting the program to not allow so many submissions within a time period. There is no way this particular application/setup will have much traffic.

There is no way to authenticate to prevent exploitation for spam purposes? This send copy to submitter is needed.

I would think there would be many other less time consuming ways to send spam then looking for a form, maybe I'm wrong.

Yes. Sorry, you're wrong. Spammers write programs that automatically probe web sites for insecure formmail programs. These probes send emails back to the spammers when an insecure installation is found.

They then use other programs which pretend to be a browser and submit hundreds of forms a minute to send out their spam.

In Reply To

And this is only really useful to the spammer if the form contains text area correct? Not much use from a text field.. I suppose just the text field would be targeted, but then all of these messages that they would send would also have the name of field before their advert...

That's right. They need to find the name of the text field and insert their advert there. But most formmail programs don't check the size of the data submitted for a field so the sheer size of the advert overwhelms any other data in the generated email.

In Reply To

What about setting the program to not allow so many submissions within a time period. There is no way this particular application/setup will have much traffic.

That's one suggestion. I've seen that implemented a few times.

In Reply To

There is no way to authenticate to prevent exploitation for spam purposes? This send copy to submitter is needed.

Of course, this is another way to block abuse. To force your visitor to register before they can send email using your formmail. This is how web mail programs solve the problem. But in most cases where you'd want to use a formmail, putting the extra registration step into the process would stop people from using the form.

Here's a simple experiment you can try. Do you have access to your web server's logs? Try looking in the error log on a server that doesn't have a formmail program installed. I can almost guarantee that you'll see a number of cases where people try to access formmail on the server. This will be the spammers programs probing the server for invunerabilities.

If you don't have access to the server logs thne take a look at this. The formmail.pl on my server simply dumps details of each request into this file, so you can see how frequently I get probed.